Asset Management


Comprehensive Sensors 


Qualys Sensors provide a comprehensive approach to collecting all of your asset
and software inventory data. This lab provides an overview of the various Qualys
Sensors, with special attention given to the Qualys Cloud Agent.


Scanner Appliance 


Qualys scanner appliances are available in three different varieties: 1) Internet-based appliances 
located within the Qualys Cloud Platform, 2) Physical appliances, and 3) Virtual Appliances. 


Any Qualys user with scanning privileges has access to Qualys’ pool of Internet-based Scanner 
Appliances. These appliances are ideal for targeting and scanning other Internet-facing assets. 


Qualys physical and virtual scanner appliances can be deployed throughout your business or
enterprise architecture. Virtual appliances are available for the following platforms:

- Citrix XenServer
- Microsoft Hyper-V
- VMware Workstation, Workstation Player, Fusion
- VMware ESXi, vCenter Server (standard)
- VMware vCenter Server (vApp)
- OpenStack
- Microsoft Azure
- Google Cloud Platform


For a detailed discussion of Scanner Appliance deployment and usage, please see the “Scanning 
Strategies and Best Practices” training course (qualys.com/learning). 


Cloud Agent 


Qualys Cloud Agents install locally on the host assets they protect and send all collected
data to the Qualys Cloud Platform for analysis.


Qualys agents presently support various Windows, Mac, Linux, and Unix-based 
operating systems. 


Agent installer packages by platform:

- Windows: exe (x86_64)
- Linux: rpm (x64), rpm (ARM64), deb (x64), deb (ARM64)
- Linux PPC64LE: rpm (ppc64le)
- Mac: pkg (x64)
- AIX: bff.gz (Power)
- BSD: txz (x64)
- Solaris: pkg (x86_64), pkg (SPARC)
- Core OS: tar (x64)

For a complete list of supported operating systems, see the “Platform Availability
Matrix” within the Cloud Agent Getting Started Guide:

https://www.qualys.com/docs/qualys-cloud-agent-getting-started-guide.pdf
Configure Agents for VMDR

Multiple VMDR applications are supported by Qualys Cloud Agent:

- CyberSecurity Asset Management (CSAM)
- Vulnerability Management (VM)
- Security Configuration Assessment (SCA) / Policy Compliance (PC)
- Patch Management (PM)

These application modules must be activated for your VMDR host assets.

Click the following URL to view the “Configure Agents for VMDR” tutorial:

Lab 1 - https://ior.ad/7P9F

Activation Keys can be configured from the Cloud Agent application or the VMDR
“Welcome” page.


Upgrade Agents with Activation Keys

VMDR requires the activation of a purpose-built engine that detects missing patches on Cloud
Agent hosts. Select the Activation Keys you want to upgrade for VMDR; all agents associated
with those keys will be upgraded.

[Screenshot: Manage Cloud Agent Keys, listing each activation key with its MODULES, AGENTS
and TAGS columns. The “Default VMDR Activation Key” shows the SCA, VM, PM and CSAM modules;
a second “VMDR Lab” key has only the minimum modules.]

Upgrade Activation Keys to include the CSAM, VM, SCA, and PM application modules.


[Screenshot: “Edit the activation key” dialog. Title: VMDR Lab Activation Key. “Provision Key
for these applications” lists CyberSecurity Asset Management (activations managed by CSAM),
Vulnerability Management, Secure Config Assessment, Policy Compliance and Patch Management,
each with its remaining activations. By default the key is unlimited and allows any number of
agents to be added at any time.]

While VMDR includes the “Security Configuration Assessment” module by default,
agent Activation Keys can be updated to include Policy Compliance (PC) instead of SCA.


Activation Key Tagging Strategy 


Asset Tags provide an effective way to assign your agent host assets to their appropriate
configuration settings, assessment profiles, and patch jobs.

Unlike dynamic tags, static tags “stick” to their host systems. Once a static tag is
assigned to a target host, it remains assigned to that host until it is manually
removed or replaced.

The non-dynamic, predictable nature of a static tag makes it especially useful for
tracking host assets that were installed from the same Activation Key.


[Screenshot: the same “Edit the activation key” dialog with the static tag “VMDR Lab”
assigned to the key. Callout: “This static tag will identify agent hosts deployed with
this Activation Key.”]


The same Asset Tags that are assigned to agent Activation Keys can then be used to 
assign patching licenses to specific hosts and ensure agent hosts are correctly assigned 
to their appropriate Configuration Profile, Patch Assessment Profile, and Patch Jobs. 


For a detailed discussion of agent installation and configuration steps, see the “Cloud Agent” 
training course (qualys.com/learning). 


Passive Sensor 


Qualys Passive Sensor operates in “promiscuous” mode, capturing network traffic and 
packets from either a network TAP, or the SPAN port of a network switch. 


Physical sensors:
- 1 Gbps sensor - up to 3K assets
- 4 Gbps sensor - up to 15K assets
- 10 Gbps sensor - up to 30K assets

Virtual sensor:
- 1 Gbps sensor - up to 3K assets

Sensors deployed at lower layers of your network architecture (e.g., at distribution
switches closest to LAN traffic) may require greater bandwidth capacity.


Both physical (hardware-based) and virtual sensor appliances are available.

[Diagram: physical and virtual sensor appliances, each with a Management Interface
connected to the Qualys Cloud Platform and a Sniffing Interface receiving mirrored
traffic from a switch.]

The Management Interface of the sensor appliance is assigned an IP address and must
successfully connect to the Qualys Cloud Platform.

The Sniffing Interface is not assigned an IP address and receives traffic from a network
TAP or the SPAN port of a network switch.

An important advantage of capturing network traffic is the additional information
collected from network conversations (exchanges between communicating hosts).


[Screenshot: Traffic Details for May 10-20, 2019. Traffic by Family: Web Services 202 MB,
Electronic Mail 7 MB, Unassigned 4 MB, Other 2 MB, IBM Systems 98 KB. The Web Services
table lists each client IP (e.g., 192.168.249.103, 192.168.248.157) with a timestamp,
total ingress and total egress.]


A passive sensor not only collects traffic from “managed” company assets; it also
sees traffic from other hosts and services that are attempting to communicate
with your managed assets, including communications coming from unknown or
“unmanaged” assets.

New assets typically appear in Qualys CSAM within 5-10 minutes. As more information is
discovered, it is aggregated across all assets and sent every 15 minutes.

When your subscription is enabled for traffic analysis, summarized traffic information is
sent to the Qualys Cloud Platform every 30 minutes.


Network Passive Sensor User Guides

Look for the “Network Passive Sensor” User Guides (Physical Appliance User Guide, Virtual
Appliance User Guide, Deployment Guide and Release Notes, under Sensors) in the Qualys
Documentation Community (qualys.com/documentation) to stay up-to-date with the latest
sensor features and specifications.


Cloud Connector

Create connectors for your Amazon Web Services, Google Cloud, and Microsoft Azure accounts.

Enumerate cloud instances and collect useful metadata such as:
- Instance or virtual machine ID
- Location or region
- External and private IPs
- Installed software and active services
- and much more...

Search Tip: Within the CyberSecurity Asset Management application, use the
“inventory.source” query token to quickly find AWS, Azure, and Google instances:
- AWS - inventory.source:INSTANCE_ID
- Azure - inventory.source:VIRTUAL_MACHINE_ID
- Google - inventory.source:GCP_INSTANCE_ID

Leverage Qualys Cloud Security Assessment (CSA) to identify and correct
misconfigurations.


Cloud Security Assessment Guide

Look for more information on Cloud Connectors in the “CSA Getting Started Guide”
(Cloud/Container Security > Cloud Security Assessment: Online Help, API User Guide,
Release Notes) on the Qualys Documentation Community (qualys.com/documentation).
Container Sensor

Qualys Container Sensor is installed on a Docker host as a container application, right
alongside other containers.

Once installed, CS will assess all new and existing Docker images and containers for
vulnerabilities.

[Diagram: General (Host), Registry and Build (CI/CD) sensors, each delivered as a tar.xz
package, running alongside application containers on a Host / VM.]

Types of Container Sensors:
- General - Scan Docker hosts.
- Registry - Scan images in public or private registries.
- CI/CD Pipeline - Scan images within a CI/CD pipeline (e.g., Jenkins and Bamboo).

For more information and details on deploying and using Qualys Container Sensors, see
the “Container Security” training course (qualys.com/learning).
Container Runtime Security

Qualys Container Runtime Security provides container runtime visibility and protection
and allows you to create rules or policies to actively block or prevent unwanted actions
or events within your container applications.

This is achieved by instrumenting images with Container Security components that
gather function-level, behavioural data about the processes running within a
container.

Qualys uses an application-native instrumentation process that provides complete visibility
of the application inside the container. The instrumentation is lightweight and provides
configurable data collection options with low or no impact on application performance.

Behavioural data is used by Container Security to monitor process activity, allowing you
to apply security policies and custom security controls to block specific events or
attempted activities.

Container Runtime Security (CRS) can be deployed for both on-prem and cloud
container environments and is particularly useful for securing containers in a CaaS
environment where the underlying host infrastructure is managed by a cloud service
provider.

Presently, the Container Runtime Security instrumenter supports the following registries
for instrumentation:

- Public registries: Docker Hub
- Private registries: v2 private registry, JFrog Artifactory (secure: auth + https)
Container Sensor User Guides

Look for the Container Sensor User Guides (Cloud/Container Security > Container Security)
on the Qualys Documentation Community (qualys.com/documentation).
CyberSecurity Asset Management


The Qualys CyberSecurity Asset Management application collects raw data from Qualys 
Sensors and then adds its own categorization, normalization and enrichment 
information. 


Qualys provides Level 1 and 2 categories for Hardware, Operating Systems, and 
Software Application assets. 


Hardware Classification

Attribute                    Example                 Search Token
category (level1 / level2)   Computer / Notebook     hardware.category
category (level1)            Computer                hardware.category1
category (level2)            Notebook                hardware.category2
full hardware name           Dell Latitude e7470     hardware
manufacturer                 Dell                    hardware.manufacturer
product                      Latitude                hardware.product
model                        e7470                   hardware.model

The table above provides some useful examples of “hardware” tokens.

To view all of the hardware categories in your account, group assets by hardware
category (i.e., INVENTORY > Assets > Group Assets by... > Hardware > Category).


Operating System Classification

Attribute                    Example                                   Search Token
category (level1 / level2)   Windows, Unix, Linux, Mac, ...            operatingSystem.category
category (level1)            Windows                                   operatingSystem.category1
category (level2)            Client                                    operatingSystem.category2
full operating system name   Windows 7 Enterprise (6.1 SP2) 64-Bit     operatingSystem
publisher                    Microsoft                                 operatingSystem.publisher
name                         Windows 7                                 operatingSystem.name
architecture                 64Bit                                     operatingSystem.architecture
market version               7                                         operatingSystem.marketVersion
version                      6.1                                       operatingSystem.version
update                       SP2                                       operatingSystem.update
edition                      Enterprise                                operatingSystem.edition

The table above provides some useful examples of “OS” tokens.

To view all of the OS categories in your account, group assets by operating system
category (i.e., INVENTORY > Assets > Group Assets by... > Operating System > Category).


Software Classification

Attribute                    Example                                           Search Token
type                         Application, Driver, OS Update, Unknown           software.type
category (level1 / level2)   Productivity / Productivity Suites                software.category
category (level1)            Productivity                                      software.category1
category (level2)            Productivity Suites                               software.category2
full software name           Microsoft Office 2016 (16.0.1.2) Professional 64-Bit   software.name
publisher                    Microsoft                                         software.publisher
product                      Office                                            software.product
architecture                 64-Bit                                            software.architecture
market version               2016                                              software.marketVersion
version                      16.1                                              software.version
update                       16.1.1.2                                          software.update
edition                      Professional                                      software.edition

The table above provides some useful examples of “software” tokens.

To view all of the software categories in your account, group software by software
category (i.e., INVENTORY > Software > Group Software by... > Category).


Click the following URL to view the “Search Using Categories” tutorial:

Lab 2 - https://ior.ad/7POv
Example Queries


To build a dynamic tag for Windows-based systems, use the “Asset Inventory” rule
engine with the following query:

operatingSystem.category1:'Windows'

To build a dynamic tag for “Server” host assets, use the “Asset Inventory” rule engine
with the following query:

operatingSystem.category2:'Server'

To build a dynamic tag for Windows Servers, use the “Asset Inventory” rule engine with
the following query:

operatingSystem.category:'Windows / Server'

The first value (Windows) is separated from the second value (Server) by the slash (“/”)
symbol.


Dynamic Rule-Based Tags 


Qualys CSAM provides multiple rule engines for creating dynamic Asset Tags:

- Asset Name Contains
- Asset Inventory
- IP Address In Range(s)
- IP Address In Range(s) + Network(s)
- Open Ports
- Cloud Asset Search
- Vuln(QID) Exist

The “Asset Inventory” rule engine allows you to build tags using the Qualys Query
Language and various query tokens, including the hardware, OS, and software category
tokens.
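A dynamic tag rule is only as good as the query behind it, and a rule that matches more (or fewer) hosts than intended silently mis-scopes profiles and patch jobs. The following Python evaluator is an example added to this lab, not Qualys code: it parses the subset of QQL used on this page (token:value, quoted values, [a, b] lists, the “Level1 / Level2” category form, parentheses, and/or/not) and runs it against a handful of constructed asset records so you can see which hosts a rule would pick up before creating it. It assumes case-insensitive matching and that a single value against a two-level category token matches level 1 alone; the asset records, the `ASSETS` list and the function names are all invented for the example.

```python
"""Evaluate a QQL subset locally to preview which assets a dynamic tag rule matches.
Constructed example, not Qualys code. Assumptions: comparisons are case-insensitive,
and a single value on a *.category token matches on level 1 alone."""
import re

# Constructed inventory records, keyed by the CSAM token names used on this page.
ASSETS = [
    {"name": "ws2016dfw242", "operatingSystem.category1": "Windows",
     "operatingSystem.category2": "Server", "hardware.category1": "Computer",
     "hardware.category2": "Server"},
    {"name": "lt-dell-01", "operatingSystem.category1": "Windows",
     "operatingSystem.category2": "Client", "hardware.category1": "Computer",
     "hardware.category2": "Notebook"},
    {"name": "web-ubuntu", "operatingSystem.category1": "Linux",
     "operatingSystem.category2": "Server", "hardware.category1": "Computer",
     "hardware.category2": "Server"},
]

_TOKEN_RE = re.compile(
    r"\s*(\(|\)|and\b|or\b|not\b|"
    r"[A-Za-z0-9_.]+:(?:'[^']*'|\"[^\"]*\"|\[[^\]]*\]|[^\s()]+))", re.IGNORECASE)


def tokenize(query):
    """Split a query into parentheses, operators and token:value terms."""
    query = query.replace("\u2019", "'").replace("\u2018", "'")  # curly quotes from docs
    pos, out = 0, []
    while pos < len(query) and not query[pos:].isspace():
        m = _TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"cannot parse near {query[pos:]!r}")
        out.append(m.group(1))
        pos = m.end()
    return out


def _values(raw):
    """Strip quotes/brackets, lower-case, canonicalise 'L1/L2' to 'l1 / l2'."""
    raw = raw.strip()
    parts = raw[1:-1].split(",") if raw.startswith("[") and raw.endswith("]") else [raw]
    return [" / ".join(seg.strip() for seg in p.strip().strip("'\"").split("/")).lower()
            for p in parts]


class _Parser:
    """Recursive descent, precedence: or < and < not < atom."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def _peek(self):
        return self.toks[self.i].lower() if self.i < len(self.toks) else None

    def _take(self):
        self.i += 1
        return self.toks[self.i - 1]

    def parse(self):
        node = self._or()
        if self.i != len(self.toks):
            raise ValueError(f"unexpected token {self.toks[self.i]!r}")
        return node

    def _or(self):
        left = self._and()
        while self._peek() == "or":
            self._take()
            left = ("or", left, self._and())
        return left

    def _and(self):
        left = self._not()
        while self._peek() == "and":
            self._take()
            left = ("and", left, self._not())
        return left

    def _not(self):
        if self._peek() == "not":
            self._take()
            return ("not", self._not())
        return self._atom()

    def _atom(self):
        tok = self._take()
        if tok == "(":
            node = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok == ")":
            raise ValueError("unexpected ')'")
        token, _, raw = tok.partition(":")
        return ("term", token, _values(raw))


def _field(asset, token):
    """Token value on an asset; *.category is synthesised as 'Level1 / Level2'."""
    if token.endswith(".category"):
        base = token[: -len(".category")]
        return f"{asset.get(base + '.category1', '')} / {asset.get(base + '.category2', '')}"
    return str(asset.get(token, ""))


def _term_matches(asset, token, values):
    actual = _field(asset, token).lower()
    level1 = actual.split(" / ")[0]
    return any(actual == v or (token.endswith(".category") and " / " not in v and level1 == v)
               for v in values)


def evaluate(node, asset):
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], asset) and evaluate(node[2], asset)
    if kind == "or":
        return evaluate(node[1], asset) or evaluate(node[2], asset)
    if kind == "not":
        return not evaluate(node[1], asset)
    return _term_matches(asset, node[1], node[2])


def assets_matching(query, assets=ASSETS):
    """Names of the assets a dynamic tag built from `query` would pick up."""
    tree = _Parser(tokenize(query)).parse()
    return [a["name"] for a in assets if evaluate(tree, a)]


if __name__ == "__main__":
    for q in ("operatingSystem.category1:'Windows'",
              "operatingSystem.category:'Windows / Server'",
              "hardware.category2:[Notebook, Server] and not operatingSystem.category1:Linux"):
        print(f"{q:75} -> {assets_matching(q)}")
```

Running the three queries from the Example Queries section above through `assets_matching` shows the difference between a level-1 match, a level-2 match and the combined “Windows / Server” form; the last query illustrates why parenthesising and/or groups matters before a rule is trusted to scope a patch job.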


Click the following URL to view the “Dynamic Rule-Based Tags” tutorial:

Lab 3 - https://ior.ad/7NYu
Unidentified vs. Unknown


The OS and Hardware values for some assets may be displayed as Unidentified or 
Unknown. This is especially common within the list of “Unmanaged” assets. 


Unidentified

- Not enough data has been discovered/collected for Qualys to determine the
  hardware or operating system.
- To reduce the number of unidentified assets in your account, perform scans in
  “authenticated” mode and ensure network filtering devices allow your scan traffic
  to pass.

Unknown

- Adequate data exists for Qualys to categorize the asset, but it has not yet been
  cataloged.
- Assets are processed by Qualys labs for analysis and categorization. Qualys
  researchers review data and update the catalog daily.

Managed vs. Unmanaged Assets

With Qualys Passive Sensor, the CSAM application will help you distinguish between
1) Managed and 2) Unmanaged host assets.


[Screenshot: CyberSecurity Asset Management > Assets, Unmanaged view, with Total Assets
and Top Hardware Categories panels.]

Managed assets in your account will have known values for hostname, IP address, and
MAC address. Newly discovered hostnames, IPs, and MAC addresses will initially be
labeled as new or “Unmanaged.”

Newly collected data can be merged with an existing asset record only when:
- Both the IP address and the MAC address have been successfully matched, or
- Both the IP address and the hostname have been successfully matched.

NOTE: A single asset can potentially have multiple interfaces.
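The two merge conditions above are what keep a reused DHCP lease from gluing a stranger's traffic onto a managed server's record. The following Python example, added to this lab and not Qualys code, implements exactly those conditions over a constructed inventory: an observation joins an existing asset only when its IP matches one of that asset's interfaces and either the MAC or the hostname matches as well; anything else becomes a new Unmanaged record. The `Asset`/`Interface` types, the managed inventory and the sensor sightings are all invented for the example; the normalisation of MAC case and separators, and of trailing-dot hostnames, is an assumption about how such matching should behave.

```python
"""Asset identity matching for passive-sensor observations: IP+MAC or IP+hostname.
Constructed example, not Qualys code; records and sightings are invented."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Interface:
    ip: str
    mac: Optional[str] = None


@dataclass
class Asset:
    name: str
    hostname: Optional[str]
    interfaces: List[Interface] = field(default_factory=list)
    managed: bool = True


def _norm_mac(mac):
    return mac.lower().replace("-", ":") if mac else None


def _norm_host(host):
    return host.lower().rstrip(".") if host else None


def find_match(assets, ip, mac=None, hostname=None):
    """Asset whose interface satisfies IP+MAC or IP+hostname, else None.
    An IP match alone never merges: DHCP reuse would otherwise join strangers."""
    mac_n, host_n = _norm_mac(mac), _norm_host(hostname)
    for asset in assets:
        for iface in asset.interfaces:          # any interface of the asset may match
            if iface.ip != ip:
                continue
            if mac_n and iface.mac and _norm_mac(iface.mac) == mac_n:
                return asset
            if host_n and asset.hostname and _norm_host(asset.hostname) == host_n:
                return asset
    return None


def ingest(assets, seen):
    """Merge an observation into a managed asset or record a new Unmanaged asset.
    Returns (asset, 'merged' | 'new-unmanaged')."""
    ip, mac, hostname = seen["ip"], seen.get("mac"), seen.get("hostname")
    match = find_match(assets, ip, mac, hostname)
    if match is None:
        new = Asset(name=hostname or ip, hostname=hostname,
                    interfaces=[Interface(ip, mac)], managed=False)
        assets.append(new)
        return new, "new-unmanaged"
    for iface in match.interfaces:              # enrich with what the sighting adds
        if iface.ip == ip and iface.mac is None and mac:
            iface.mac = mac
    if match.hostname is None and hostname:
        match.hostname = hostname
    return match, "merged"


def managed_inventory():
    """Constructed managed assets; ws2016dfw242 has two interfaces."""
    return [
        Asset("ws2016dfw242", "ws2016dfw242",
              [Interface("192.168.248.157", "00:50:56:aa:bb:01"), Interface("10.0.0.5")]),
        Asset("web-ubuntu", "web-ubuntu", [Interface("192.168.249.103", "00:50:56:cc:dd:01")]),
    ]


# Constructed passive-sensor sightings (not real traffic).
SIGHTINGS = [
    {"ip": "192.168.248.157", "mac": "00-50-56-AA-BB-01"},                      # IP + MAC
    {"ip": "10.0.0.5", "hostname": "WS2016DFW242."},                             # IP + hostname, 2nd NIC
    {"ip": "192.168.248.157", "mac": "00:50:56:ff:ff:ff", "hostname": "rogue"},  # IP reused by a stranger
    {"ip": "172.16.0.9", "mac": "00:50:56:cc:dd:01"},                           # MAC only, new IP
]


def run_demo(sightings=SIGHTINGS):
    """Ingest the sightings; return ([(asset name, outcome)...], [unmanaged names])."""
    assets = managed_inventory()
    results = [(a.name, outcome) for a, outcome in (ingest(assets, s) for s in sightings)]
    return results, [a.name for a in assets if not a.managed]


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```

The third sighting is the interesting one: the IP belongs to ws2016dfw242 but neither the MAC nor the hostname agrees, so it lands in the Unmanaged list for a human to look at rather than being merged. The fourth shows the symmetric case, a known MAC on an unknown IP, which the stated rules also refuse to merge.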
CMDB Sync


With the Qualys CMDB Sync App, your ServiceNow CMDB can serve as another source
of data. In turn, ServiceNow CMDB can benefit from Qualys categorization, normalization,
and data enrichment.

To work successfully, the app needs to be installed in both Qualys and ServiceNow. Once
installed, metadata can move in both directions. Asset metadata synchronization is
performed for assets that already exist in both Qualys and ServiceNow (i.e., it is not a
mechanism for new asset discovery).

Business Context Attributes

Automatically import business context attributes from ServiceNow CMDB. They are
searchable through the nested “businessApp” token:

businessApp:(businessCriticality:...)
businessApp:(environment:...)
businessApp:(id:...)
businessApp:(managedBy:...)
businessApp:(name:...)
businessApp:(operationalStatus:...)
businessApp:(ownedBy:...)
businessApp:(supportGroup:...)
businessApp:(supportedBy:...)

Click the following URL to view the “Business Context through CMDB Sync” tutorial:
To implement ServiceNow CMDB Integration, a Qualys subscription with API access is
required, along with the following application modules:

- CSAM
- Vulnerability Management

Qualys provides two apps for integrating Qualys with ServiceNow CMDB:

1. Qualys CMDB Sync App
   - Install the Qualys CMDB Sync App (available in the ServiceNow Online Store)
2. Qualys CMDB Sync Service Graph Connector App
   - Install the Qualys Service Graph Connector App (available in the ServiceNow
     Online Store)
   - Requires an ITOM Visibility license in ServiceNow

The Qualys CMDB Sync Service Graph Connector App requires ServiceNow “Orlando”
version or later.


Look for both CMDB Sync User Guides (Cloud Apps > IT Asset Management > CMDB Sync:
“Qualys CMDB Sync Service Graph Connector App” and “Qualys CMDB Sync App”) within the
Qualys Documentation Community (qualys.com/documentation).
Software Authorization Rules

In CSAM, you can create different types of rules to define software authorization:

[Screenshot: “Select Software” step of the rule wizard with three options: Add Authorized
Software, Add Unauthorized Software, and Needs Review. Each lets you select applications,
releases, publishers or categories that are explicitly authorized, explicitly unauthorized,
or that need to be reviewed before being marked Authorized or Unauthorized.]

1. Authorized - software is authorized for use.
2. Unauthorized - software is NOT authorized for use.
3. Needs review - review is required to determine software authorization.

Click the following URL to view the “Software Authorization” tutorial:

Lab 5 - https://ior.ad/70zQ

Rules are designed for specific groups of assets. For example, while browsers are
commonly authorized for use on desktop and laptop systems, they add risk to a
host and should NOT be authorized on production servers.


Authorization rules can be configured for specific application versions.

[Screenshot: Add Unauthorized Software. Product: Java SE Runtime Environment; Publisher:
Oracle; Category: Application Development / Ru...; Criteria: Below - Version 13.0.]

The example above does not authorize the use of the Java Runtime Environment (JRE)
below version 13.0.
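Version-scoped rules like the one above are only correct if versions are compared as numbers, component by component: a plain string comparison ranks "9.0.4" above "13.0" and would quietly authorize the older build, and Java 8 reports itself as 1.8.x while Java 13 reports 13.x. The following Python example, added to this lab and not Qualys code, evaluates a small rule set of the three types (Authorized, Unauthorized, Needs Review) against a constructed software inventory, with rules optionally scoped to an asset group by tag, as in the browsers-on-production-servers case described earlier. The rule format, the "first matching rule wins" precedence, the asset tags and the inventory records are all assumptions made for the example; software matched by no rule is left without a status rather than guessed at.

```python
"""Software authorization rules with numeric version comparison and tag scoping.
Constructed example, not Qualys code; rules, tags and inventory are invented."""
import re

AUTHORIZED, UNAUTHORIZED, NEEDS_REVIEW = "Authorized", "Unauthorized", "Needs Review"


def parse_version(text):
    """'1.8.0_291' -> (1, 8, 0, 291); any non-numeric separators are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def compare_versions(a, b):
    """-1, 0 or 1; the shorter tuple is zero-padded so '13' equals '13.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa, pb = pa + (0,) * (width - len(pa)), pb + (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def _criteria_match(criteria, version):
    """criteria is None (any version) or (op, ref) with op in below/above/equals."""
    if criteria is None:
        return True
    op, ref = criteria
    cmp = compare_versions(version, ref)
    return {"below": cmp < 0, "above": cmp > 0, "equals": cmp == 0}[op]


def _rule_applies(rule, item, asset_tags):
    for key in ("publisher", "product", "category"):
        if key in rule and rule[key].lower() != item.get(key, "").lower():
            return False
    if "asset_tag" in rule and rule["asset_tag"] not in asset_tags:
        return False            # rule is scoped to an asset group this host is not in
    return _criteria_match(rule.get("criteria"), item.get("version", "0"))


def authorization_status(item, asset_tags, rules):
    """First matching rule wins (assumed precedence); no rule -> None."""
    for rule in rules:
        if _rule_applies(rule, item, asset_tags):
            return rule["status"]
    return None


# Constructed rules; the first mirrors the screenshot above.
RULES = [
    {"status": UNAUTHORIZED, "publisher": "Oracle", "product": "Java SE Runtime Environment",
     "criteria": ("below", "13.0")},
    {"status": UNAUTHORIZED, "category": "Web Browser", "asset_tag": "Production Servers"},
    {"status": AUTHORIZED, "category": "Web Browser"},
    {"status": AUTHORIZED, "publisher": "Microsoft", "product": "Office"},
    {"status": NEEDS_REVIEW, "category": "Remote Access"},
]


def classify_host(installed, asset_tags, rules=RULES):
    """Return {software name: status} for everything installed on one host."""
    return {item["name"]: authorization_status(item, asset_tags, rules) for item in installed}


# Constructed inventory items. Java 8 reports itself as 1.8.x, which is why a
# numeric comparison against "13.0" is needed rather than a string one.
JRE8 = {"name": "Java SE Runtime Environment 8u291", "publisher": "Oracle",
        "product": "Java SE Runtime Environment", "version": "1.8.0_291",
        "category": "Application Development"}
JRE17 = {"name": "Java SE Runtime Environment 17.0.2", "publisher": "Oracle",
         "product": "Java SE Runtime Environment", "version": "17.0.2",
         "category": "Application Development"}
FIREFOX = {"name": "Mozilla Firefox 84.0.2", "publisher": "Mozilla", "product": "Firefox",
           "version": "84.0.2", "category": "Web Browser"}
OFFICE = {"name": "Microsoft Office 2016", "publisher": "Microsoft", "product": "Office",
          "version": "16.0.1.2", "category": "Productivity"}
TEAMVIEWER = {"name": "TeamViewer 15", "publisher": "TeamViewer", "product": "TeamViewer",
              "version": "15.4", "category": "Remote Access"}

if __name__ == "__main__":
    print(classify_host([JRE8, FIREFOX, OFFICE], ["Production Servers", "Cloud Agent"]))
    print(classify_host([JRE17, FIREFOX, TEAMVIEWER], ["Workstations"]))
```

Note how the same Firefox record is Unauthorized on a host tagged "Production Servers" and Authorized on a workstation: the rule order puts the narrower, tag-scoped rule first, which is what lets one rule set express the policy described above.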
Software Authorization Tokens

Once you have created one or more software authorization rules, search for
authorized/unauthorized software using the “software authorization” tokens:

- Authorized: software:(authorization:'Authorized')
- Unauthorized: software:(authorization:'Unauthorized')
- Needs Review: software:(authorization:'Needs Review')

Query results can be viewed by software name or by impacted assets. Alternatively, create
a “software authorization” report (i.e., REPORTS section) using the “software
authorization” tokens.
Vulnerability Management


Qualys VMDR and CSAM provide numerous tools and features for working with 
vulnerabilities, including dynamic Widgets and Dashboards, search and query tools, and 
the “Prioritization Report.” 


CSAM 


While vulnerability findings can be viewed from multiple Qualys applications, 
CyberSecurity Asset Management also provides some response capabilities. 


When viewing asset details from within the CSAM application, vulnerability findings are 
initially displayed graphically. 


[Screenshot: Asset Details for ws2016dfw242. The INVENTORY pane lists Asset Summary, System
Information, Open Ports, Installed Software, Traffic Summary and Certificates; the SECURITY
pane lists Vulnerabilities, VMDR Prioritization and Patch Management. The Vulnerabilities
view shows “Vulnerabilities by Severity” and “Confirmed Vulnerabilities” (40 total).
Callout: point and click to drill down into vulnerability details.]

Qualys severity levels rank the potential impact or outcome of a successful vulnerability
exploit. A “Severity 5” vulnerability is the most urgent, while a “Severity 1” vulnerability
is the least urgent.


Specific vulnerability details can be quickly displayed with a click of your mouse. 
Patches for selected vulnerabilities can then be added to a new or existing patch job.

[Screenshot: the asset's Vulnerabilities list filtered with
vulnerabilities.severity:[5] and vulnerabilities.typeDetected:[Confirmed] (9 vulnerabilities),
e.g., QID 91591 Microsoft Windows Security Update for December 2019, QID 91598 Microsoft .NET
Framework Security Updates for January 2020, QID 100400 Microsoft Internet Explorer Remote
Code Execution Vulnerability, QID 100402 Microsoft Internet Explorer Security Update for
March 2020, QID 91609 Microsoft Windows Security Update for March 2020. Each Active finding
has a “Patch Now” menu offering “Add to New Job” and “Add to Existing Job.” Callout: build
Patch Jobs from Global IT Asset Inventory.]

In the CSAM application, patching and response tasks are performed “host-by-host.” To
deploy patches pervasively (for a large number of assets), the tools in VMDR and PM
provide a better solution.


VMDR 


Once the required assessment data has been collected from Qualys scanners and agents, the
VULNERABILITIES section of Qualys VMDR displays your complete list of discovered
vulnerabilities along with powerful search and query capabilities.

Patch Jobs can be quickly and conveniently created for a specific list of high-risk
vulnerabilities and assets, allowing you to deploy patches based on the
vulnerabilities they actually fix.


Click the following URL to view the “Vulnerability Findings” tutorial: 


Lab 6 - https://ior.ad/7Ohq
After selecting one or more patchable vulnerabilities, click the “View Missing Patches”
option to build the list of required patches that are missing.

[Screenshot: VMDR > Vulnerabilities, filtered by the vulnerability query
vulnerabilities.vulnerability.qualysPatchable:TRUE and the asset query
tags.name:'Cloud Agent' and activatedForModules:PM (66 total detections). The Actions menu
offers “View Missing Patches.” Example detections: QID 372508 Oracle Java SE Critical Patch
Update - April 2020 and QID 374827 Mozilla Firefox Multiple Vulnerabilities (MFSA2021-01),
both Active, category Local.]

Not all vulnerabilities are patchable. Patchable vulnerabilities must meet the following
conditions:

- The detected vulnerability must be associated with one or more patches found in the
  PM Patch Catalog (vulnerabilities.vulnerability.qualysPatchable:TRUE).
- The detection host must be running the Qualys Cloud Agent (tags.name:'Cloud Agent').
- The Cloud Agent must have the PM module activated (activatedForModules:PM).

The Qualys Cloud Agent performs the “Patching” function for the Qualys Platform.
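The three conditions above are a conjunction, and in practice it is the second and third that trip people up: a finding from a scanner-only host, or from an agent whose key was never upgraded to include PM, is simply absent from “View Missing Patches” with no indication why. The following Python example, added to this lab and not Qualys code, applies the three conditions to constructed detection records, reports which condition blocks each non-patchable finding, and builds the per-host list of missing patches the way a patch job needs it, de-duplicated so that one superseding cumulative update closing two QIDs appears once. The patch catalog, host attributes and detections are invented for the example (the QIDs are the ones shown on this page); only open detection statuses are considered.

```python
"""Patchability check and missing-patch list for constructed VMDR detections.
Constructed example, not Qualys code; catalog, hosts and detections are invented."""

# Stand-in for the PM Patch Catalog: QID -> patches that fix it. Both Windows
# QIDs resolve to the same superseding cumulative update in this catalog.
PATCH_CATALOG = {
    372508: ["Oracle Java SE 8 Update 251"],
    374827: ["Mozilla Firefox 84.0.2"],
    91591: ["2020-03 Cumulative Update for Windows Server 2016"],
    91609: ["2020-03 Cumulative Update for Windows Server 2016"],
    100400: [],   # detected by Qualys, but no catalog patch -> not qualysPatchable
}

# Constructed hosts with the two asset attributes the conditions depend on.
HOSTS = {
    "ws2016dfw242": {"tags": ["Cloud Agent", "VMDR Lab"], "activatedForModules": ["CSAM", "VM", "PM"]},
    "web-ubuntu":   {"tags": ["Cloud Agent"], "activatedForModules": ["CSAM", "VM"]},   # PM missing
    "dc01":         {"tags": ["Scanner Only"], "activatedForModules": []},              # no agent
}

# Constructed detections (host, QID, status).
DETECTIONS = [
    {"host": "ws2016dfw242", "qid": 91591, "status": "Active"},
    {"host": "ws2016dfw242", "qid": 91609, "status": "Active"},
    {"host": "ws2016dfw242", "qid": 372508, "status": "Active"},
    {"host": "ws2016dfw242", "qid": 100400, "status": "Active"},
    {"host": "ws2016dfw242", "qid": 374827, "status": "Fixed"},
    {"host": "web-ubuntu", "qid": 374827, "status": "Active"},
    {"host": "dc01", "qid": 91609, "status": "Active"},
]

OPEN_STATUSES = {"New", "Active", "Re-Opened"}


def qualys_patchable(qid):
    """Local equivalent of vulnerabilities.vulnerability.qualysPatchable:TRUE."""
    return bool(PATCH_CATALOG.get(qid))


def blockers(detection):
    """Reasons a detection cannot be patched through PM; empty list = patchable."""
    host = HOSTS[detection["host"]]
    reasons = []
    if not qualys_patchable(detection["qid"]):
        reasons.append("no patch in PM Patch Catalog")
    if "Cloud Agent" not in host["tags"]:
        reasons.append("host is not running the Cloud Agent")
    if "PM" not in host["activatedForModules"]:
        reasons.append("PM module not activated for this agent")
    return reasons


def missing_patches(detections):
    """View Missing Patches: {host: sorted patches} for open, patchable detections,
    de-duplicated so a superseding update appears once per host."""
    needed = {}
    for det in detections:
        if det["status"] not in OPEN_STATUSES or blockers(det):
            continue
        needed.setdefault(det["host"], set()).update(PATCH_CATALOG[det["qid"]])
    return {host: sorted(patches) for host, patches in needed.items()}


if __name__ == "__main__":
    for host, patches in missing_patches(DETECTIONS).items():
        print(host, patches)
    for det in DETECTIONS:
        if blockers(det):
            print(det["host"], det["qid"], "->", "; ".join(blockers(det)))
```

With this data only ws2016dfw242 yields a patch list, and it contains two patches for three open findings; web-ubuntu's Firefox finding is excluded because PM is not activated on its agent, which is exactly the case the activation-key upgrade earlier in this lab is meant to prevent.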
Dashboards & Widgets

Continuously monitor assets and vulnerabilities with any number of “out-of-box”
Dashboards, or build your own custom Dashboards and Widgets.

[Screenshot: Dashboard Templates page (“Add or Customize Dashboard templates”) with a
“Build from Scratch” option and Qualys-created templates such as RansomWare (RW) Exposure,
RansomWare (RW) Attack Vectors, Patch Efficiency and Policy Compliance, grouped by
application: CSAM (4), Policy Compliance (1), Unified Dashboard (35), VMDR (16), Web
Application Firewall (1), File Integrity Monitoring (6), EDR (5), Container Security.]

Click the following URL to begin the “Dashboards & Widgets” tutorial:

Lab 7 - https://ior.ad/703J

Widget Types

Widgets are designed to display query results graphically. There are four different
graphic options, including the Count, Table, and Column widgets.

Widgets are automatically updated to reflect changes in your asset data and findings.
The “count” widget can be configured to change color as changes to assets and
vulnerability findings reach specific thresholds or special conditions.

[Screenshot: configuration of a HIGH SEVERITY VULNERABILITIES count widget. Choose a base
color for the widget (displayed by default if no rules are met), then add rules of the form
“when the value of the targeted vulnerabilities search is greater than N percent of the
reference query, change the color.” The reference query is a superset that contains all the
assets from the initial query.]

A “reference” query in the count widget is useful for comparing the “initial” query’s
result set to some type of control or benchmark. The difference between the result sets
of both queries is represented as a percentage.

In the example above, HIGH severity vulnerabilities (Sev. 3, 4, 5) are presently about
94% of ALL vulnerabilities (Sev. 1, 2, 3, 4, 5). The “count” widget is configured to change
from its base color to red when this percentage is greater than 50 percent.
Count widget types have the option to Enable Trending. When enabled, widgets can
store trend data for up to 90 days.

[Screenshot: Edit Widget (VM). Query 1 (Vulnerability): vulnerabilities.status:REOPENED.
“Compare with another reference query” is checked; Query 2 (Vulnerability):
vulnerabilities.status:[NEW, ACTIVE, REOPENED]. Additional Options: Enable Trending.]

This widget will store its results each day for up to 90 days. The results will be plotted on
a graph so that the data may be analyzed to identify trends.

A trend line plotted on a graph will be added to the other information normally
displayed in the widget.

[Screenshot: the widget showing its current count, its percentage relative to the reference
query, and a trend line for the last 91 days.]

The graphic perspective provided by the trend line will make it easier to visualize swings
in momentum and to anticipate critical thresholds and milestones.
You can add one or more Asset Tags to a Dashboard through the Dashboard Editor.

[Screenshot: Edit Dashboard. Name: Vulnerability Management. Options: “Show description on
dashboard,” “Set as default dashboard for this module,” and “Share/Categorize with following
tags,” where the “Default Dashboard Access Tag” is selected.]

The “Default Dashboard Access Tag” is created by Qualys.

[Screenshot: User Edit for a sample user, “Edit role(s) and scope.” Roles such as AUDITOR and
API Access are assigned; under “Edit Scope,” the assets the user can access are defined by
tags, with the “Default Dashboard Access Tag” added to the user’s Global Scope.]

Share dashboards with other Qualys users by assigning “dashboard” tag(s) to their
accounts.

For more information and details on Dashboard and Widget capabilities, check out the
Qualys “Reporting Strategies & Best Practices” training course (qualys.com/learning).
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Threat Detection & Prioritization 


Use the VMDR Prioritization report to automatically prioritize the riskiest vulnerabilities 
for your most critical assets — reducing potentially thousands of discovered 


vulnerabilities, to the few that matter. 


VMDR Threat Feed 


The Threat Intelligence Feed provides a key element to the Prioritization Report. Focus 
remediation efforts on high-severity vulnerabilities with known or existing threats. 


Screenshot: VMDR > Prioritization > Threat Feed. Search for threats by category, content,
or publish date. The feed is grouped into HIGH RATED FEED (e.g., "Microsoft Windows
security update for October 2021"), MEDIUM / LOW RATED FEED (e.g., "Backdoor Account in
Zyxel Products (CVE-2020-29583)") and FAVORITES; each entry carries an "Impacted Assets"
link. Click to view impacted assets within your subscription.


This Threat Intelligence Feed is provided by Qualys Threat & Malware Labs, along with 
several other exploit and malware sources. 


Other Threat Feed Sources

Exploit Sources
Source                 Data Type
Core Security          PoC Exploits mapped to CVEs
Exploit-DB             PoC Exploits mapped to CVEs
Metasploit             PoC Exploits mapped to CVEs
Contagio Dump          Exploit Kits mapped to CVEs
Immunity               PoC Exploits mapped to CVEs
  (Agora, Dsquare, Enable Security, White Phosphorus)
Google Project Zero    Zero-Days mapped to CVEs

Malware Sources
Source                 Data Type
Reversing Labs         CVEs associated with malware
Trend Micro            Malware names associated with CVEs
McAfee                 Ransomware mapped to CVEs

* Qualys Threat Protection leverages exploit and malware data from multiple sources.
Prioritization Report


By correlating vulnerability information with threat intelligence and asset context, the
Prioritization Report will help you to "zero in" on your highest risk vulnerabilities and
quickly patch them.

The VMDR Prioritization report:
- Guides you to target and quickly patch your highest risk vulnerabilities.
- Helps you find the specific patch to fix a particular vulnerability.
- Allows you to quickly identify and remediate the vulnerabilities that are most
  likely to get exploited.
- Empowers security analysts to pick and choose the relevant threat indicators for
  your specific and unique organization.
- Provides an integrated workflow that reduces the time between vulnerability
  detection and patch deployment.

Click the following URL to begin the "VMDR Prioritization Report" tutorial:

Lab 8 - https://ior.ad/704V


After selecting one or more Asset tags to specify report context, prioritization options 
are provided in three categories: 


Age 


Prioritize vulnerabilities by their age. Detection age is the number of days since the 
vulnerability was first discovered (e.g., by a scanner or cloud agent). The “Vulnerability” 
option will distribute vulnerabilities by actual or KnowledgeBase age. 
Real-Time Threat Indicators (RTI)


Prioritize vulnerabilities by their known and existing threats. 


Screenshot: Real-Time Threat Indicators (RTI) panel, with the Match Any / Match All selector.

POTENTIAL IMPACT: High Data Loss (36), High Lateral Movement (33), Wormable (0),
Denial Of Service (30), Patch Not Available (19), Privilege Escalation (19),
Unauthenticated Exploitation (0), Remote Code Execution (36)

ACTIVE THREATS: Active Attacks (17), Malware (12), Zero Day (0), Public Exploit (11),
Predicted High Risk (13), Exploit Kit (0), Easy Exploit (19)


Combine multiple threat indicators, using the “Match Any” or “Match All” operators. 
Current Real-time Threat Indicators are: 


High Data Loss - Successful exploitation will result in massive data loss on the host. 


High Lateral Movement - After a successful compromise, attacker has high 
potential to compromise other machines in the network. 


Denial of Service - Successful exploitation will result in denial of service. 
Patch Not Available - Vendor has not provided an official fix. 


Privilege Escalation - Successful exploitation allows an attacker to gain elevated 
privileges. 


Unauthenticated Exploitation - Exploitation of this vulnerability does not require 
authentication. 


Remote Code Execution - Successful exploitation allows an attacker to execute 
arbitrary commands or code on a targeted system or in a target process. 


Actively Attacked - Active attacks have been observed in the wild. This information
is derived from Malware, Exploit Kits, acknowledgment from vendors, US-CERT and
similar trusted sources.


Malware - Malware has been associated with this vulnerability. 
Zero Day - Active attacks have been observed in the wild and there is no patch from
the vendor. If a vulnerability is not actively attacked this RTI will not be set (even if 
there is no patch from the vendor). If a patch becomes available Qualys will remove 
the Zero Day RTI attribute. 


Public Exploit - Exploit knowledge is well known and working exploitation code is 
publicly available. This attribute is set for example when PoC exploit code is 
available from Exploit-DB, Metasploit, Core, Immunity or other exploit vendors. 
While potentially increasing the probability of attack, this RTI does not necessarily 
indicate that active attacks have been observed in the wild. 


Predicted High Risk - Leverages machine learning to determine if a presently
non-exploited vulnerability should be prioritized.


Easy Exploit - The attack can be carried out easily and requires little skills or does 
not require additional information. 


Exploit Kit - Exploit Kit has been associated with this vulnerability. Exploit Kits are 
usually cloud based toolkits that help bad actors to identify vulnerable 
browsers/plugins and install malware. Search for Exploit Kits by name like Angler, 
Nuclear, Rig and others. 


Wormable - The vulnerability can be used by “worms” — to spread without user 
interaction. 


Solorigate Sunburst - Solorigate Sunburst has been associated with all the CVEs 
used by FireEye's Red Team tools to test the security of their client environments 
and compromised versions of SolarWinds Orion. 


Ransomware - This vulnerability has been exploited in attack vectors where
ransomware has been deployed. In other words, this vulnerability is associated with
known ransomware.
Attack Surface


Attack Surface options provide additional context for the assets in the Prioritization 
Report. 


Screenshot: Attack Surface toggles: Running Kernel, Running Service, Not Mitigated by
Configuration, Remotely Discoverable Only, Internet Facing Only.


Use Attack Surface options to further refine the context already provided by the 
included Asset Tags. 


Running Kernel - It's possible that multiple kernels may be detected on the same Linux
host. Toggle this filter On to filter out kernel-related vulnerabilities that are not
exploitable because they were found on a non-running kernel.

Running Service - Toggle this filter On to filter out service-related vulnerabilities
that are not exploitable because they were found on a non-running port/service.

Not Mitigated by Configuration - We may detect software on a host that is considered
vulnerable; however, there's a specific configuration present on the host that makes it
not exploitable. Toggle this filter On to filter out config-related vulnerabilities that
are not exploitable due to host configuration.

Remotely Discoverable Only - Toggle this filter On to only include vulnerabilities that
can be detected by a scanner using remote (unauthenticated) scanning.

Internet Facing Only - Toggle this filter On to include assets with IP addresses that
could be exploitable. Our system tag named Internet Facing Assets includes a range of
pre-defined IP addresses. We automatically tag assets that match this pre-defined IP
address range in the tag.

To view the complete range of IP addresses that are included in the Internet Facing
Assets system tag, go to the AssetView app, navigate to Assets > Tags and then select the
Internet Facing Assets tag. From the quick-action menu, select View and then click
Tag Rule in the View mode to view the complete list of IP addresses defined in the tag.


Once your priority options have been selected, click the “Prioritize Now” button. 


Prioritize Now 


The displayed assets, vulnerabilities and patches will reflect the priority options you 
specify. 
Screenshot: VMDR Prioritization results. Prioritized Assets 80% (of 15), Prioritized
Vulnerabilities 28.51% of instances (of 651), Available Patches (unique); tabs
Vulnerabilities | Patch | Asset, grouped by Vulnerability (1-50 of 114). Listed examples
include CVE-2017-3167 (Apache httpd Server ap_get_basic_auth_pw() Authentication Bypass
Vulnerability) and Apple macOS High Sierra / Safari updates (QIDs 370677, 370716,
370738), each with a "Patch Now" action and a "Deploy patches individually" option.


As you continue to make adjustments to the priority options, the displayed 
vulnerabilities and patches are automatically adjusted. Patches can be deployed 
individually or all at once. 


Zero-Touch Patch Jobs 


Select the “Zero-Touch Patch Job” option from the VMDR Prioritization Report. 


Screenshot: VMDR Prioritization report with the "Zero-Touch Patch Job" option, alongside
"Export to Dashboard" and "Save & Download". Prioritized Assets 100% (of 6), Prioritized
Vulnerabilities 21.86% of total (of 1.61K); the Patches tab lists Windows Patches (82,
"View Missing Windows Patches") and Linux Patches (15, "View Missing Linux Patches").


- Automates the selection of patches for recurring deployment jobs
- Patches are selected using QQL
- Patches meeting the query condition are included in scheduled deployment jobs
  (daily, weekly, monthly)

Patches will be expressed as query conditions.


Screenshot: Create Windows Deployment Job, step 4 (Select Patches) of Basic Information,
Select Assets, Select Pre-actions, Select Patches, Select Post-actions, Schedule, Options.
"Choose the patches you want to install for the selected assets or create a query to
automate the job." Two options are offered: Manual Patch Selection (select manually from
the available list of patches) and Automated Patch Selection (define QQL to automatically
identify patches to remediate current and future vulnerabilities every time the job runs).
The generated Vulnerability query begins:

vulnerabilities.vulnerability:(threatIntel.malware:True or threatIntel.activeAttacks:

(the remainder is cut off in the screenshot). Note: For optimum performance, only missing
and non-superseded patches that match the QQL criteria will be added to the job.


The query is generated from the options (Age, RTIs, and Attack Surface) selected in the 
Prioritization Report. 
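The filtering the report applies when Age, RTI and Attack Surface options are combined, and the shape of the query a Zero-Touch job derives from the RTI selection, as an added Python example (not Qualys' code): the detections are constructed, and every threatIntel token except the two visible in the screenshot is an assumed name.

```python
"""Toy model of the VMDR Prioritization Report options (Age, RTIs with
Match Any / Match All, Attack Surface) and of the QQL condition a
Zero-Touch Patch Job derives from them. Added example, not Qualys' code;
detections are constructed and, apart from threatIntel.malware and
threatIntel.activeAttacks (shown on the page), token names are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    qid: int
    title: str
    age_days: int                  # days since first detected by a scanner or agent
    rtis: frozenset                # Real-Time Threat Indicators, named as in the report
    kernel_running: bool = True    # False: found on a non-running Linux kernel
    service_running: bool = True   # False: found on a non-running port/service
    mitigated_by_config: bool = False
    remotely_discoverable: bool = True
    internet_facing: bool = False  # asset carries the "Internet Facing Assets" tag


# Assumed RTI name -> threatIntel token (only malware/activeAttacks are on the page)
RTI_TOKENS = {
    "Active Attacks": "activeAttacks",
    "Malware": "malware",
    "Public Exploit": "publicExploit",
    "Remote Code Execution": "remoteCodeExecution",
    "Wormable": "wormable",
    "Ransomware": "ransomware",
    "Privilege Escalation": "privilegeEscalation",
    "Denial Of Service": "denialOfService",
    "Easy Exploit": "easyExploit",
    "Unauthenticated Exploitation": "unauthenticatedExploitation",
}


def rti_match(det, selected, match_all=False):
    """Match All: every selected RTI is set; Match Any: at least one is set."""
    sel = set(selected)
    if not sel:
        return True
    return sel <= det.rtis if match_all else bool(sel & det.rtis)


def prioritize(detections, selected_rtis=(), match_all=False,
               min_age=None, max_age=None,
               running_kernel=False, running_service=False, not_mitigated=False,
               remotely_discoverable_only=False, internet_facing_only=False):
    """Return the QIDs that survive the selected Age, RTI and Attack Surface options."""
    keep = []
    for d in detections:
        if min_age is not None and d.age_days < min_age:
            continue
        if max_age is not None and d.age_days > max_age:
            continue
        if not rti_match(d, selected_rtis, match_all):
            continue
        # Each Attack Surface toggle drops findings that are not exploitable in context
        if running_kernel and not d.kernel_running:
            continue
        if running_service and not d.service_running:
            continue
        if not_mitigated and d.mitigated_by_config:
            continue
        if remotely_discoverable_only and not d.remotely_discoverable:
            continue
        if internet_facing_only and not d.internet_facing:
            continue
        keep.append(d.qid)
    return keep


def to_qql(selected_rtis, match_all=False):
    """Render the RTI selection in the form the job wizard shows:
    vulnerabilities.vulnerability:(threatIntel.x:True or threatIntel.y:True)"""
    terms = [f"threatIntel.{RTI_TOKENS[r]}:True" for r in selected_rtis]
    if not terms:
        return ""
    joiner = " and " if match_all else " or "
    return "vulnerabilities.vulnerability:(" + joiner.join(terms) + ")"


# Constructed sample detections (not real Qualys data)
SAMPLE = [
    Detection(90001, "Web server auth bypass", 120,
              frozenset({"Public Exploit", "Remote Code Execution", "Easy Exploit"}),
              internet_facing=True),
    Detection(90002, "Kernel privilege flaw", 30,
              frozenset({"Malware", "Active Attacks", "Ransomware"}),
              kernel_running=False),
    Detection(90003, "Legacy daemon DoS", 400,
              frozenset({"Denial Of Service"}), service_running=False),
    Detection(90004, "Admin service escalation", 10,
              frozenset({"Privilege Escalation", "Unauthenticated Exploitation"}),
              mitigated_by_config=True, remotely_discoverable=False),
    Detection(90005, "File-sharing wormable RCE", 60,
              frozenset({"Public Exploit", "Malware", "Remote Code Execution", "Wormable"}),
              internet_facing=True),
]

if __name__ == "__main__":
    print(prioritize(SAMPLE, ["Public Exploit", "Malware"], internet_facing_only=True))
    print(to_qql(["Malware", "Active Attacks"]))
```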


Export to Dashboard 
Export the results of any VMDR Prioritization Report as a Dashboard Widget. 
Screenshot: VMDR Prioritization report header showing Prioritized Assets 80% of total
(of 15), Prioritized Vulnerabilities 21.51% of total instances (of 671), and Available
Patches (unique).


Results will be continuously updated within the Widget. 


Screenshot: VMDR Dashboard ("VMDR Sample", Last 30 Days) with the widgets PATCHES BY
STATUS, WORMABLE VULNERABILITIES, the exported Prioritization Report widget (Prioritized
Assets 12 of 15, Prioritized Vulnerabilities 185 instances / 114 unique of 671, Available
Patches 37), ASSETS MISSING PATCHES BY PLATFORM, and MISSING PATCHES BY VENDORS
(Microsoft 1376, Apple 5, Sun Mi... 5, Adobe 4, Oracle 3). Export and monitor the
"Prioritization Report" as a Dashboard Widget.
Prioritization Report Use Cases


The VMDR Prioritization Report provides countless ways to combine Asset Context,
Vulnerability Age, Real-Time Threat Indicators, and Attack Surface options. Here are a
couple of use cases to demonstrate different approaches to building Prioritization Reports.


Databases 


Hosts with large data stores are especially impacted by “High Data Loss” vulnerabilities. 


Click the following URL to view the “Prioritization Report Use-Case: Databases” 
tutorial: 


Lab 9 - https://ior.ad/7MxG


Internet Facing Assets 


Hosts with public interfaces are at greater risk because of their exposure to the Internet, 
especially with vulnerabilities that can be exploited without authentication. The risk 
becomes even more significant if the same host has vulnerabilities that can lead to 
privilege escalation. 


Click the following URL to view the “Prioritization Report Use-Case: Internet Facing 
Assets” tutorial: 


Lab 10 - https://ior.ad/7MFs

Patch Management


Along with the help of Qualys Cloud Agent, the Patch Management application provides
the patch response functionality in VMDR.


Deployment Job 


While a patch assessment is useful for providing a list of “installed” and “missing” 
patches, “Deployment Jobs” perform the tasks of actually installing patches to host 
assets. 


Click the following URL to view the “Patch Deployment Job” tutorial: 
Lab 11 - https://ior.ad/7P9w


Before creating any job, you’ll need to add “patchable” agent hosts to the “Licenses” tab 
(within the CONFIGURATION section of the Patch Management application). 


Screenshot: Patch Management > CONFIGURATION > Licenses. License Consumption shows
Type: TRIAL, Expiring in 24 days on 12 Sep, 2020, Status: Active; License Details:
Licenses Purchased 10, Licenses Used 2. "Select asset tags to include or exclude for
patch management. Total Consumption counter shows the number of licenses used based on
the number of matching assets contained in the included asset tags." Include Assets
Tags: PMLab; Add Exclusion Asset Tags.


Use Asset Tags to include host assets for license consumption. The “Total Consumption” 
indicator is updated with the number of agent hosts labelled with the tag(s) included. 
Create Deployment Job


You can create a “Deployment Job” for agent host assets that are missing patches. 


Screenshot: Patch Management > JOBS, with the create menu offering Deployment Job and
Uninstall Job.


While it is common to build a job from the JOBS section (of the PM application), jobs can
also be created within the PATCHES and ASSETS sections.


Screenshot: Select Assets step. "Select the assets you want this job to deploy patches
on." Assets are included by host name (e.g., ec2amaz-eyur25m, ws2016DFW210) or by tag:
"Include hosts that have Any/All of the tags below" (tags Weekly and PMLab), where
Any == OR and All == AND.


You can add assets to a job by Host Name or by Asset Tag. If you include more than one 
Asset Tag, be sure to select an appropriate Boolean operator (i.e., Any or All). 


By default, the "Patch Selector" displays patches that are "Within Scope" of the host
asset(s) your job is targeting.


Screenshot: Patch Selector with the query isSuperseded:"false" and the "Within Scope |
All" toggle, listing 13 patches, e.g., Security Cumulative updates MS20-08-W10-... for
KB4571694 (CVE-2020-1509 and 81 more) and KB4565349 (CVE-2020-1509 and 89 more), published
on Aug 10, 2020, and the servicing stack update MS20-08-SSU-... for KB4566424.


For greater patching efficiency, consider selecting patches that have NOT been 
superseded (“isSuperseded:false”) to eliminate older, redundant patches. 


Patches that display the reboot icon will require a reboot.
If you attempt to add patches (to an existing job) that are already included, you will
receive a warning message similar to the one below: 


1 or more patches listed below are already part of the selected job(s) or you might have exceeded the
maximum number of patches per job. Continuing will not add these repeated patches in the respective
job(s).

PatchNow_1596824962760


Duplicate patches will not be added to a job. 


You can run jobs on demand, or you can schedule your jobs to run at a future date and 
time. 


Screenshot: Schedule Deployment. "Schedule the deployment job to run on demand or in the
future." Options: On Demand, or Schedule (run the deployment job at a set time) with
START DATE 08/01/2025, START TIME 12:00am, and a Recurring Job option whose REPEATS
setting is Daily, Weekly or Monthly. Times are by default in the agent timezone
(Set timezone).


Schedule jobs to run once, or to recur on a daily, weekly or monthly basis. 


You have the option to configure a “Patch Window” (i.e., “Set Duration” option), to 
restrict patching to a specific time frame. 


Screenshot: Patch Window. "You can configure a patch window to run the deployment job
only within a particular time frame." Options: None, or Set Duration (e.g., 6 Hours).
Note: Setting this will restrict the agent to complete the job within the specified
patch window (e.g., start time + 6 hrs). The job gets timed out outside this window.


A host will display the “Timed out” status, if its installation does not start within the 
specified patch window. All other hosts that started within the specified window, will 
be allowed to finish. 


Select the “None” option to give Cloud Agent as much time as it needs to start and 
complete the job. 
The Deployment and Reboot Communication Options allow you to specify the type of
"pop-up" messages end-users will receive before, during and after job deployment.
Screenshot: Pre-Deployment message settings. "Display message to users before patch
deployment starts. (If no user is logged in, deployment process starts per job
schedule.)" TITLE: Pre-Deployment; MESSAGE: "Patching is about to begin."; DEFERMENT:
Remind again in 1 Hours; NUMBER OF DEFERMENTS: 3 times.


The “Deferment” settings provide active end-users the option to postpone the start of a 
job and to postpone a system reboot (if required). 


Screenshot: Reboot Request message settings. "Show a message to users indicating that a
reboot is required. (If no user is logged in, the reboot will start immediately after
patch deployment.)" TITLE: Reboot Request; MESSAGE: "Please reboot your system, to
complete patch deployment."; DEFERMENT: Remind again in 1 Hours; NUMBER OF DEFERMENTS:
3 times.


If no user is logged-in, patching will begin as scheduled and rebooting will start 
immediately following patch deployment. 
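The patch-window rule (a host that has not started inside the window shows "Timed out", one that started inside it may finish) and the deferment settings above, worked through together as an added Python example, not Qualys' code; the job start, window sizes and per-host deferment counts are constructed.

```python
"""Patch-window and deferment arithmetic for a scheduled deployment job, applying
two rules stated on the page: a host whose installation has not started by the end
of the patch window shows "Timed out", while a host that started inside the window
is allowed to finish; and a logged-in user may defer the start a limited number of
times. Added example, not Qualys' code; the job and host events are constructed."""
from datetime import datetime, timedelta


def window_end(job_start, patch_window_hours):
    """A patch window of None (the "None" option) means no time limit for the agent."""
    if patch_window_hours is None:
        return None
    return job_start + timedelta(hours=patch_window_hours)


def effective_start(job_start, deferments_requested, remind_hours, max_deferments):
    """Each deferment pushes the start back by the reminder interval, up to the
    configured number of deferments; with nobody logged in, deferments are 0."""
    used = min(deferments_requested, max_deferments)
    return job_start + timedelta(hours=remind_hours * used)


def host_status(job_start, patch_window_hours, install_started, now):
    """Status of one host at time `now`, using the status names from the job table."""
    end = window_end(job_start, patch_window_hours)
    started_in_window = (install_started is not None
                         and (end is None or install_started <= end))
    if started_in_window:
        return "Patching"          # started inside the window: allowed to finish
    if end is not None and now > end:
        return "Timed out"         # never started within the window
    return "Pending"


def evaluate_job(job_start, patch_window_hours, remind_hours, max_deferments, hosts, now):
    """hosts maps host name -> number of deferments the logged-in user requested."""
    return {
        name: host_status(job_start, patch_window_hours,
                          effective_start(job_start, deferred, remind_hours, max_deferments),
                          now)
        for name, deferred in hosts.items()
    }


# Constructed job: 08/01/2025 12:00am start (as in the schedule screenshot),
# pre-deployment reminder "Remind again in 1 Hours", "3 times".
JOB_START = datetime(2025, 8, 1, 0, 0)
NOW = datetime(2025, 8, 1, 7, 0)
HOSTS = {"ws-a": 0, "ws-b": 3, "ws-c": 5}   # ws-c asks for more deferments than allowed

if __name__ == "__main__":
    print(evaluate_job(JOB_START, 6, 1, 3, HOSTS, NOW))   # 6-hour window: all Patching
    print(evaluate_job(JOB_START, 2, 1, 3, HOSTS, NOW))   # 2-hour window: deferrers time out
```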


Additional Job Settings 


Enable opportunistic patch download 
The agent attempts to download patches before a scheduled job runs. 


The option to “Enable opportunistic patch downloads” potentially allows scheduled jobs 
to save time by attempting to download patches, prior to job execution. 
Use the "Quick Actions" menu to view the progress of any job.


Screenshot: Jobs list showing an On Demand install job, a Scheduled - Run Once install
job (Once, Nov 10 2020) and a Recurring - Monthly install job (Monthly on Second T...),
each with its Quick Actions menu.


Verify the status of each host targeted. 


Job Status

Status                Description
Canceled - Blackout   Patch deployment job is canceled on the asset due to blackout window
Completed             Patch deployment job is completed on the asset
Downloaded            Patch file is successfully downloaded on the asset
Downloading failed    Patch failed to download on the asset
Not licensed          Job manifest cannot be sent as the asset does not have PM license
Job started           Agent has started the job
Job resumed           Asset is restarted and agent has resumed the job
Job failed            Agent encountered an error while executing the job
Patching              Patch job is running on the asset
Pending               Patch job is pending for execution on the asset
Pending reboot        Reboot activity is pending for the asset
Rebooted              Asset is restarted after patch installation
Timed out             Job is timed out


Assets and patches can be added to a "Recurring" job, both before and after it is
"Enabled." Jobs that run only once cannot be updated once they are enabled.


Once patch deployment is complete, another patch assessment scan will begin 
automatically and the number of missing and installed patches will be updated for the 
affected host(s). 
Patch Catalog


The Patch Catalog contains tens of thousands of OS and application patches. Presently 
you can add up to 2000 patches to a single job. 
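The rules this guide states for building a job (only missing, non-superseded patches are added, duplicates are not added again, patches the agent cannot download are not included, and a job holds at most 2000 patches), applied to a constructed catalog slice as an added Python example; this is not Qualys' code and the patch ids are placeholders.

```python
"""Applies the job-building rules stated on the page to a set of catalog patches:
only missing, non-superseded patches that the agent can download enter a job,
patches already in the job are not added again, and a job holds at most 2000
patches. Added example, not Qualys' code; the patches are constructed."""
from dataclasses import dataclass

MAX_PATCHES_PER_JOB = 2000   # limit stated in the Patch Catalog section


@dataclass(frozen=True)
class Patch:
    patch_id: str
    title: str
    status: str                       # "Missing" or "Installed" on the target host
    is_superseded: bool               # the isSuperseded query token
    download_method: str = "Agent"    # "AcquireFromVendor": agent cannot download it


def selectable(patch):
    """The default catalog view: missing, latest (non-superseded), agent-downloadable."""
    return (patch.status == "Missing"
            and not patch.is_superseded
            and patch.download_method != "AcquireFromVendor")


def add_to_job(job_patch_ids, candidates, limit=MAX_PATCHES_PER_JOB):
    """Add candidates to an existing job (a list of patch ids, modified in place).
    Returns (added ids, {skipped id: reason}); reasons echo the wizard's warning."""
    added, skipped = [], {}
    for p in candidates:
        if not selectable(p):
            skipped[p.patch_id] = "not a missing, non-superseded, downloadable patch"
        elif p.patch_id in job_patch_ids or p.patch_id in added:
            skipped[p.patch_id] = "already part of the selected job"
        elif len(job_patch_ids) + len(added) >= limit:
            skipped[p.patch_id] = "maximum number of patches per job exceeded"
        else:
            added.append(p.patch_id)
    job_patch_ids.extend(added)
    return added, skipped


# Constructed catalog slice (ids are placeholders, not real Qualys patch ids)
CATALOG = [
    Patch("P-001", "Cumulative update (July)", "Missing", is_superseded=True),
    Patch("P-002", "Cumulative update (August)", "Missing", is_superseded=False),
    Patch("P-003", "Servicing stack update", "Installed", is_superseded=False),
    Patch("P-004", "Vendor-portal-only driver", "Missing", is_superseded=False,
          download_method="AcquireFromVendor"),
    Patch("P-005", "Browser security update", "Missing", is_superseded=False),
    Patch("P-006", "Office security update", "Missing", is_superseded=False),
    Patch("P-007", "Runtime update", "Missing", is_superseded=False),
]

if __name__ == "__main__":
    job = ["P-005"]                       # the job already contains this patch
    print(add_to_job(job, CATALOG, limit=3))   # small limit to show the cap rule
    print(job)
```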


Click the following URL to view the “Patch Catalog” tutorial: 


Lab 12 - (link not legible in the source document)


By default, only the latest (non-superseded) and missing patches are displayed. This is 
done to help you focus on the essential patches required by your host assets. 


Screenshot: Patch Catalog "Filters" drop-down with Patch Status (Missing checked,
Installed unchecked) and Only Latest Patches (Non-superseded) set to Yes, applied to a
list that includes Firefox 79 and a Java update published on Jul 13, 2020.


To view ALL patches in the catalog, remove (uncheck) the "Missing" and
"Non-superseded" filter options and then click somewhere outside of the "Filters"
drop-down menu (to refresh the displayed patches).
Quickly search for specific groups of patches in the Patch Catalog, using the faceted
search pane on the left.

Search for patches by:
- Application Family
- Vendor
- Category
- Type
- Vendor Severity
- Reboot Requirements

Screenshot: the faceted search pane lists APP FAMILY (Windows, Office, .Net, ... and 39
more), VENDOR (Microsoft, Adobe, ...), CATEGORY (Security Patches, ...), TYPE (OS,
Application), VENDOR SEVERITY (Critical, Important, Moderate, None) and REBOOT REQUIRED.

For more sophisticated queries, use Query Tokens and the Qualys Query Language (QQL) in
the "Search" field, at the top of the Catalog.

Any query entered into the "Search" field will be affected by the current filtering
options. Be sure to verify the filter options, prior to submitting queries.


Patches identified with the “key-shaped” icon, cannot be downloaded by Qualys’ Cloud 
Agent. This is often the case, when patches first require credentials prior to downloads. 


Type the following query into the “Search” field and press the “Enter” key: 


downloadMethod:AcquireFromVendor 


Screenshot: Patch Catalog search for downloadMethod:AcquireFromVendor, returning
Microsoft Power BI Desktop (x64) patches (PBID-200728) published on Jul 27, 2020, each
marked with the key-shaped icon.


If attempting to add these patches to a job, they will not be included. 
The "Rollback" patches in the catalog are candidates for an Uninstall Job. Not all
patches can be uninstalled. 


Screenshot: Patch Catalog search isRollback: true (1-50 of 85), with the quick actions
View Details, Add to Existing Job, Add to New Job and Remove Patch; results include
Internet Explorer and Security Monthly Rollup patches for August 2020 (e.g., KB4571687,
KB4571723), published on Aug 10, 2020.


Use the ‘isRollback’ query token to list rollback patches: 
isRollback: true 


Patch jobs can also be created and updated from within the PATCHES section of the 
Patch Management application. 
Prioritized Products List


Click the “Prioritized Products” button (in the PATCHES section) to view a list of your 
software applications and products, ranked by the number of vulnerabilities each 
product added to your environment. 


Screenshot: Patch Management > PATCHES > Patch Catalog header, with the "Prioritized
Products" button next to the Total Patches count.


Products at the top of the list are associated with the greatest number of vulnerabilities. 
The Qualys Platform provides the unique capability to target and deploy patches based 
on the relationship between products, patches and their associated vulnerabilities. In 
some cases, applications that contribute a large number of vulnerabilities, are common 
client applications that are relatively resilient to the impact of frequent patching. 


Screenshot: Prioritized Products list with a "View Related Patches" action, ranked by
VULNERABILITIES: Windows 7498, Firefox 3608, Edge 1856, Java 1260, Internet Explorer 718.


Select specific applications from the list and use the “Actions” button to “Create Job 
using Query.” 


A query designed to patch the selected application(s) is constructed automatically (using
QQL).


Patch jobs of this type will keep the selected products updated when new patches 
become available. Achieve “zero-touch” patching by scheduling this job to run daily, 
weekly, or monthly. 


For more assessment and patching details, enroll in the “Patch Management Self-Paced 
Training” course (qualys.com/learning). 
VMDR Certification Exam


Participants in this VMDR training course have the option to take the VMDR Certification 
Exam. This exam is provided through our Learning Management System 
(qualys.com/learning). To take the exam, candidates will need a “learner” account. 


Screenshot: Qualys Training & Certification login page (qualys.com/learning). "Please log
in to the Qualys training site. First time users need to create an account." Required
fields: Username, Password; links: "Forgot your password?" and "Request a new account".


If you would like to take the exam, but do not already have a “learner” account, click the 
“Request a new account” link (above), from the “Qualys Training & Certification” login 
page (qualys.com/learning). 

Once you have created a “learner” account (and for those who already have an 
account), click the following link to access the “VMDR OVERVIEW - OSC 2021” course 
page: 


https://gml.geolearning.com/geonext/qualys/scheduledclassdetails4enroll.geo?&id=22511237824 
Screenshot: Course Catalog: Class Details for "Qualys VMDR Overview - QSC 2021" (Class
Name: VMDR Overview - QSC 2021; Class Code: 2250729076520210917125826; Contact Name: Phil
Niegos; Private Class: Yes; Maximum Class Capacity: 5000; Class Cost: $0.00). Session 1:
Monday, November 15, 2021, 9:00 AM to 1:00 PM (America/Los_Angeles) (UTC -07:00),
Instructor Philip Niegos.


From the “VMDR Overview — QSC 2021” course page, click the “Enroll” button (lower- 
right corner). 


After successfully completing the course enrollment, click the “Launch” button, for the 
Qualys VMDR Exam. 


Screenshot: enrolled course page "Qualys VMDR Overview - QSC 2021" (Progress: Not
Attempted, Status: Enrolled, Required: No, Duration: 4 hours; class VMDR Overview - QSC
2021, Monday, November 15, 2021, 9:00 AM to 1:00 PM (America/Los_Angeles) (UTC -07:00),
Instructor Philip Niegos). "To access a learning activity, select the activity name and
click Launch or Open." Activities: QSC 2021 VMDR Overview Lab Supplement (pdf, Open),
QSC 2021 VMDR Overview Slides (pdf, Open), VMDR Exam (Test, Not Attempted, Launch).


Each candidate is provided five attempts to pass the exam. 
Screenshot: completed course page "Qualys Vulnerability Management Detection & Response -
QSC 2020" (Progress: Completed, Status: Enrolled, Required: No, Duration: 6 hours) with
a "Print Certificate" button; class VMDR - QSC 2020, Tuesday, November 17, 2020, 9:00 AM
to 4:00 PM (America/Los_Angeles) (UTC -08:00), Instructor Philip Niegos. Activities:
QSC20 VMDR Lab Tutorial Supplement (pdf, Open), QSC20 VMDR Presentation Slides (pdf),
Qualys Vulnerability Management Detection & Response (VMDR) Exam (Test, Score 100%,
Passed, last accessed 11/3/2020 7:38:14 PM).


With a passing score of 75% (or greater), click the “Print Certificate” button to download 
and print your course exam certificate. 


VMDR Course Survey and Trial Account 


Please let us know what you think about the "VMDR Overview" training course. Link to
Survey - https://forms.office.com/r/rsyOAja6Xz


Would you like a VMDR trial account to practice and experiment with the lessons and 
topics provided in this course? 
Link to Trial - https://www.qualys.com/forms/vmdr. 




Appendix A: Additional VMDR Applications 


While this "VMDR Overview" training course focuses on four Qualys applications (i.e.,
AI, VM, TP, and PM), there are more VMDR applications that address and mitigate
vulnerabilities as well as enforce security policies.


Security Configuration Assessment (SCA) 


Monitor and assess technical security controls and security-related misconfigurations. 
Qualys Scanners and Agents collect the data points needed to perform host compliance 
assessments. 


Screenshot: Create a New Policy > Policy from Library ("Choose from one of the policies
in our library"). "Find the policy that best suits your needs. The SCA policies are
certified by the CIS for the CIS benchmarks, which provide secure configuration
guidelines to identify and remediate the security vulnerabilities for a wide range of
technologies. The out of the box policies have controls, pre-configured as per the
recommendations from the CIS. Click on one of the required CIS policies below, and then
click Next to import it." The Technologies list (e.g., AIX 6.x, AIX 7.x, Amazon Linux 2
AMI, Amazon Linux AMI, Apache HTTP Server 2.2.x/2.4.x, Apache Tomcat 6.x-9.x, Apple
Safari 11.x-13.x) filters 408 policies, such as "CIS Benchmark for IBM AIX 6.1, v1.1.0
[Scored, Level 1]" (Version 8.0, 05/17/2020) and "CIS Benchmark for Apache Tomcat 6.0
v1.0.0 [Scored and Not Scored, Level 1]" (Version 3.0, 10/29/2019), each with View
Description | View Policy links.


Qualys SCA provides over 400 CIS Benchmark Policies for hundreds of OS and 
application technologies. All compliance scans are performed using the "Scan by Policy" 
option. 


Qualys SCA contains a subset of the tools and features found in the Qualys Policy 
Compliance application. For more information and details, please see the Qualys Policy 
Compliance Self-Paced Training Course (qualys.com/learning). 
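As an added illustration (not Qualys code, and not the text of any CIS benchmark), the Go program below shows what a host compliance assessment amounts to: data points collected from the host, here a constructed sshd_config fragment, are compared with the expected value of each policy control, giving a PASS or FAIL per control. The control IDs, expected values and sample configuration are assumptions made for the example; the parser keeps the first occurrence of a key, as sshd itself does, so a later duplicate line cannot hide a weak setting.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Control is one constructed policy control: the configuration key it inspects
// and the values that pass. IDs and expectations are illustrative only.
type Control struct {
	ID          string
	Key         string
	Expected    []string
	Description string
}

// Result is the outcome of evaluating one control against collected data.
type Result struct {
	ControlID string
	Status    string // "PASS" or "FAIL"
	Actual    string // value found, or "" when the key is not set
}

// ParseSSHDConfig reads sshd_config text into a key/value map. Keys are
// case-insensitive and, as in sshd itself, the first occurrence of a key wins.
func ParseSSHDConfig(text string) map[string]string {
	cfg := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		key := strings.ToLower(fields[0])
		if _, seen := cfg[key]; !seen {
			cfg[key] = strings.Join(fields[1:], " ")
		}
	}
	return cfg
}

// Evaluate checks every control against the parsed configuration. A key that is
// not set explicitly is reported as FAIL because the collected data cannot prove
// the hardened value is in effect (real benchmarks also consider daemon defaults).
func Evaluate(cfg map[string]string, controls []Control) []Result {
	var out []Result
	for _, c := range controls {
		actual, ok := cfg[strings.ToLower(c.Key)]
		status := "FAIL"
		if ok {
			for _, want := range c.Expected {
				if strings.EqualFold(actual, want) {
					status = "PASS"
					break
				}
			}
		}
		out = append(out, Result{c.ID, status, actual})
	}
	return out
}

// sampleConfig is a constructed sshd_config fragment, not data from a real host;
// the duplicated PermitRootLogin line shows why first-occurrence-wins matters.
const sampleConfig = `
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding no
PermitRootLogin yes
`

// sampleControls are constructed controls in the style of an OS hardening policy.
var sampleControls = []Control{
	{"ssh-1", "PermitRootLogin", []string{"no"}, "Root login over SSH is disabled"},
	{"ssh-2", "PasswordAuthentication", []string{"no"}, "Password authentication is disabled"},
	{"ssh-3", "X11Forwarding", []string{"no"}, "X11 forwarding is disabled"},
	{"ssh-4", "MaxAuthTries", []string{"1", "2", "3", "4"}, "Authentication attempts are limited"},
}

// DemoSCA evaluates the sample controls against the sample configuration, keyed by control ID.
func DemoSCA() map[string]Result {
	results := map[string]Result{}
	for _, r := range Evaluate(ParseSSHDConfig(sampleConfig), sampleControls) {
		results[r.ControlID] = r
	}
	return results
}

func main() {
	for _, r := range Evaluate(ParseSSHDConfig(sampleConfig), sampleControls) {
		fmt.Printf("%-6s %s (actual=%q)\n", r.ControlID, r.Status, r.Actual)
	}
}
```

Running it reports ssh-1 and ssh-3 as PASS, ssh-2 as FAIL (password authentication is still enabled) and ssh-4 as FAIL because MaxAuthTries is not set at all; the last case is the one a "scan by policy" surfaces that a simple grep for bad values would miss.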
CloudView & Cloud Security Assessment (CSA) 


Continuously monitor and assess your PaaS/IaaS resources for misconfigurations and 
non-standard deployments. 


Figure: Cloud Connector icons for Amazon Web Services, Google Cloud and Microsoft Azure. 


With Qualys Cloud Connectors and the Qualys CloudView application, you can 
enumerate your cloud instances and collect metadata from your AWS, Google Cloud, 
and Microsoft Azure accounts: 


• Azure Function App Best Practices Policy 
• AWS Best Practices Policy 
• GCP Best Practices Policy 
• GCP Cloud Functions Best Practices Policy 
• CIS Amazon Web Services Foundations Benchmark 
• Azure Best Practices Policy 


With Qualys Cloud Security Assessment (CSA) you can leverage “out-of-box” policies to 
assess technical controls and identify security-related misconfigurations, for your AWS, 
Azure, and Google accounts. 


Figure: CSA control evaluation results. Example controls: "Ensure console credentials unused for 90 days or greater are disabled" (Policy: CIS Amazon Web Services Foundations Benchmark) and "Ensure access keys unused for 90 days or greater are disabled" (Policy: AWS Best Practices Policy). The Total Evaluations summary shows 2.21K evaluations: 1.07K pass and 1.14K fail. 


Container Security (CS) 


The Qualys Container Security application uses the same KnowledgeBase as Qualys VM 
and VMDR to assess and detect vulnerabilities in Docker images and containers. 


Qualys Container Sensor downloads as a Docker image and is installed on a Docker host 
as a container application, right alongside other container applications. 


Presently, there are 3 different types of Container Sensors: 

1. A General Sensor will scan images and containers on a single Docker host. 
2. A Registry Sensor will scan images in public and private Docker registries. 
3. A CI/CD Pipeline Sensor (also referred to as a "Build" sensor) scans images 
within your DevOps CI/CD pipeline projects, allowing you to identify and correct 
vulnerable images during the build process. Integrations with Jenkins and 
Bamboo are presently supported. 
Another feature in the Qualys Container Security application is Container Runtime 
Security, which provides runtime visibility and protection into container applications. 


This is achieved by instrumenting images with Qualys Container Security components, to 
gather functional and behavioural data about the container’s running processes; 
thereby allowing you to create rules and policies that actively block or prevent 
unwanted actions or events. 




As one example, you could build a policy that prohibits access to sensitive system files, 
such as the shadow or passwd files on a Linux host. 


The instrumentation process places a few binaries into the image at the security layer. 
This application-native instrumentation process provides complete visibility of the 
application inside the container. The instrumentation is very lightweight and provides 
configurable data collection options with low or no impact on application performance. 
CertView (CERT) 


Qualys CertView provides visibility into certificates and their configurations, across your 
network and enterprise architecture (on-premise and cloud-based). 


CertView leverages Qualys Scanner Appliances to collect all the certificate, vulnerability 
and configuration data required for inventory and analysis, helping you to identify and 
prevent expired and expiring certificates from interrupting business functions. 


Figure: a Certificate Alert in the Certificate View for the certificate installed on www.qualys.com, with a "View Certificate" link. 


Qualys CertView also provides the ability to enroll or renew certificates to avoid potential 
service interruptions. 


Certificate Assessment generates certificate instance grades that allow administrators to 
quickly assess server SSL/TLS configurations. 


Figure: Grade Summary for host instance www.ssllabs.com, with Certificate Details. 


Certificate Assessment identifies out-of-policy certificates with weak signatures or key 
lengths and shows you how many certificates were issued by Certificate Authorities (CAs) 
that have been vetted and approved (per your policy) and how many certificates are 
self-signed or were issued by CAs that have not been authorized to issue certificates in your 
environment. 
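The checks that Certificate Assessment performs can be illustrated with a short Go program. This is an added example, not Qualys code, and the policy values, CA names and host names in it are made up for the illustration: it generates three constructed certificates with the standard library and grades each one against a policy for RSA key length, signature algorithm, self-signed status, approved issuer and expiry.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy is a constructed certificate policy (approved CAs are keyed by issuer Common Name).
type Policy struct {
	MinRSABits   int
	WeakSigAlgs  map[x509.SignatureAlgorithm]bool
	ApprovedCAs  map[string]bool
	ExpiryWindow time.Duration
}

// Assess returns one message per policy violation found in cert as of time now.
func Assess(cert *x509.Certificate, p Policy, now time.Time) []string {
	var out []string
	add := func(format string, a ...interface{}) { out = append(out, fmt.Sprintf(format, a...)) }
	// Weak key: RSA modulus shorter than the policy minimum.
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < p.MinRSABits {
		add("RSA key is %d bits, policy minimum is %d", pub.N.BitLen(), p.MinRSABits)
	}
	// Weak signature: an algorithm the policy lists (MD5/SHA-1 based).
	if p.WeakSigAlgs[cert.SignatureAlgorithm] {
		add("weak signature algorithm %v", cert.SignatureAlgorithm)
	}
	// Self-signed: issuer equals subject and the signature verifies with the
	// certificate's own public key; otherwise the issuer must be an approved CA.
	subject := cert.Subject.CommonName
	if cert.Issuer.CommonName == subject &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		add("self-signed certificate")
	} else if !p.ApprovedCAs[cert.Issuer.CommonName] {
		add("issued by unapproved CA %q", cert.Issuer.CommonName)
	}
	// Validity: already expired, or expiring inside the alert window.
	if now.After(cert.NotAfter) {
		add("expired on %s", cert.NotAfter.Format("2006-01-02"))
	} else if now.Add(p.ExpiryWindow).After(cert.NotAfter) {
		add("expires on %s, inside the %v alert window", cert.NotAfter.Format("2006-01-02"), p.ExpiryWindow)
	}
	return out
}

// must panics on error; the demo inputs below are fixed, so failure means a broken environment.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert builds a constructed test certificate; with parent == nil it is self-signed.
func makeCert(cn string, bits int, notAfter time.Time, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, bits))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// DemoCertFindings assesses three constructed certificates (names made up for the
// example) against a sample policy and returns the findings keyed by subject name.
func DemoCertFindings() map[string][]string {
	now := time.Date(2024, 1, 15, 0, 0, 0, 0, time.UTC)
	day := 24 * time.Hour
	policy := Policy{2048, map[x509.SignatureAlgorithm]bool{x509.MD5WithRSA: true, x509.SHA1WithRSA: true},
		map[string]bool{"Example Corp Internal CA": true}, 30 * day}
	goodCA, goodKey := makeCert("Example Corp Internal CA", 2048, now.Add(3650*day), true, nil, nil)
	rogueCA, rogueKey := makeCert("Unvetted Test CA", 2048, now.Add(3650*day), true, nil, nil)
	weak, _ := makeCert("weak.example.internal", 1024, now.Add(10*day), false, nil, nil)
	good, _ := makeCert("ok.example.internal", 2048, now.Add(300*day), false, goodCA, goodKey)
	rogue, _ := makeCert("rogue.example.internal", 2048, now.Add(300*day), false, rogueCA, rogueKey)
	findings := map[string][]string{}
	for _, c := range []*x509.Certificate{weak, good, rogue} {
		findings[c.Subject.CommonName] = Assess(c, policy, now)
	}
	return findings
}

func main() {
	for subject, fs := range DemoCertFindings() {
		fmt.Printf("%s: %d finding(s) %v\n", subject, len(fs), fs)
	}
}
```

The self-signed 1024-bit certificate collects three findings (short key, self-signed, expiring within 30 days), the certificate from the approved internal CA collects none, and the one issued by the unvetted CA is flagged only for its issuer. Self-signed status is decided by verifying the signature with the certificate's own key rather than by comparing names alone, so a certificate that merely reuses a CA's name as its subject is not mistaken for a root.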


For more information and details, please see the Qualys Certificate View video series 
(https://www.qualys.com/training/library/certview/). 


Continuous Monitoring (CM) 


Get alerts when new threats and unexpected changes to your hosts are detected, 
including: 


• New hosts detected within your Qualys subscription. 
• High severity vulnerabilities and vulnerabilities with known exploits detected. 
• New ports and services detected. 
• New or unexpected software applications detected. 
• Expiring or vulnerable SSL certificates. 
• Remediation tickets that are opened or closed. 


Figure: the six CM rule types: Host, Vulnerability, Certificate, Port / Service, Software, Ticket. 


CM works in tandem with VM/VMDR: 


=" Deploy Qualys Scanner Appliances and/or activate the VM module for deployed 
Qualys Agents. 


= Schedule frequent or continuous vulnerability scans. 


Qualys CM evaluates rules against your most recent vulnerability scans. Alerts are 
generated as soon as scan results are processed. Certificate rules are evaluated daily, 
and are not based on scans. 
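The following Go program is an added example (not Qualys code) of how change-based rules like the ones listed above can be evaluated by comparing the most recent scan results with the previous ones: it raises alerts only for new hosts, new open ports, new software and new high-severity or exploitable detections, and stays silent about anything already seen in the previous scan. Host addresses, software names and detection IDs are constructed for the example, and severity is a simplified 1 to 5 scale.

```go
package main

import (
	"fmt"
	"sort"
)

// Vuln is one detection from a constructed vulnerability scan result.
type Vuln struct {
	ID          string
	Severity    int  // 1 (low) to 5 (urgent) in this simplified model
	Exploitable bool // a public exploit is known for the detection
}

// Host is the scan snapshot of one asset.
type Host struct {
	Ports    []int
	Software []string
	Vulns    []Vuln
}

// Alert is one event raised by the rules; Kind follows the rule types above.
type Alert struct {
	Kind   string // "host", "port", "software" or "vulnerability"
	Host   string
	Detail string
}

func contains[T comparable](xs []T, x T) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

// Evaluate compares the latest scan snapshot with the previous one. Alerts fire only
// on change: a detection already present in the previous scan does not alert again, and
// a brand new host raises a single host alert rather than one per port and package.
// Vulnerability alerts need severity >= minSeverity, or a known exploit if alertExploitable.
func Evaluate(previous, current map[string]Host, minSeverity int, alertExploitable bool) []Alert {
	var alerts []Alert
	hosts := make([]string, 0, len(current))
	for ip := range current {
		hosts = append(hosts, ip)
	}
	sort.Strings(hosts) // deterministic reporting order
	for _, ip := range hosts {
		cur := current[ip]
		prev, known := previous[ip]
		if !known {
			alerts = append(alerts, Alert{"host", ip, "new host detected"})
			continue
		}
		for _, p := range cur.Ports {
			if !contains(prev.Ports, p) {
				alerts = append(alerts, Alert{"port", ip, fmt.Sprintf("new open port %d", p)})
			}
		}
		for _, s := range cur.Software {
			if !contains(prev.Software, s) {
				alerts = append(alerts, Alert{"software", ip, "new software detected: " + s})
			}
		}
		seen := map[string]bool{}
		for _, v := range prev.Vulns {
			seen[v.ID] = true
		}
		for _, v := range cur.Vulns {
			if !seen[v.ID] && (v.Severity >= minSeverity || (alertExploitable && v.Exploitable)) {
				alerts = append(alerts, Alert{"vulnerability", ip,
					fmt.Sprintf("new detection %s (severity %d, exploit known: %t)", v.ID, v.Severity, v.Exploitable)})
			}
		}
	}
	return alerts
}

// DemoAlerts runs the rules over two constructed snapshots (addresses and
// detection IDs are made up for the example).
func DemoAlerts() []Alert {
	previous := map[string]Host{
		"10.0.0.5": {Ports: []int{22, 443}, Software: []string{"openssh 9.3"}, Vulns: []Vuln{{"vuln-100", 3, false}}},
	}
	current := map[string]Host{
		"10.0.0.5": {Ports: []int{22, 443, 8080}, Software: []string{"openssh 9.3", "nginx 1.25"},
			Vulns: []Vuln{{"vuln-100", 3, false}, {"vuln-200", 5, false}, {"vuln-300", 2, true}, {"vuln-400", 2, false}}},
		"10.0.0.9": {Ports: []int{22}},
	}
	return Evaluate(previous, current, 4, true)
}

func main() {
	for _, a := range DemoAlerts() {
		fmt.Printf("[%s] %s: %s\n", a.Kind, a.Host, a.Detail)
	}
}
```

With the sample data this yields five alerts: the new port 8080 and the new nginx package on 10.0.0.5, two vulnerability alerts there (vuln-200 for its severity and vuln-300 for its known exploit, while the low-severity vuln-400 and the pre-existing vuln-100 are ignored), and one host alert for 10.0.0.9.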


For more information and details, please see the Qualys Continuous Monitoring video 
series (https://www.qualys.com/training/library/continuous-monitoring/). 
VMDR for Mobile Devices 


Qualys Secure Enterprise Mobility (SEM) provides visibility into your mobile devices by 
collecting their inventory and configuration data. 


Figure: supported mobile platforms: Android OS, Android Things, Android TV, Chrome OS, Wear OS, iOS, macOS, Apple Watch, Apple TV, Windows 10. 


Your company's mobile device inventory is added to the Qualys CSAM application, 
providing you with greater insight into mobile devices that are managed vs. unmanaged 
(especially when combined with Qualys Passive Sensor). 


Qualys vulnerability and compliance assessments help to keep your mobile devices 
hardened and secure. Vulnerability assessment tests are provided for both OS and 
applications. 


Compliance assessment examples include: passcode not present, encryption status, 
unauthorized root access (rooted), etc. 


With Qualys SEM, you can perform active device operations, like locking a screen or 
locating a missing device. 




